- NAT is working for my web server with src-nat rule #0 in the config and dst-nat rule #2
- Hairpin NAT is also working for devices on the LAN to access the web server, with src-nat rule #1 and dst-nat rule #2
- UPnP is working fine from the WAN with src-nat rule #0 and dynamic dst-nat rule #3
- UPnP does not work for devices on the LAN to access the server, because the dynamic dst-nat rule requires in-interface=ether1 (ether1 is my WAN port). For traffic coming from LAN clients, the in-interface is the bridge, not ether1.
Questions:
- Can I tell the UPnP service to generate dynamic rules without in-interface=ether1?
- If not, what else can I do to make UPnP and Hairpin NAT work together?
Here is my NAT config:
> ip firewall nat print
Flags: X - disabled, I - invalid; D - dynamic
0 ;;; defconf: src nat
chain=srcnat action=src-nat to-addresses=<my wan ip>
src-address=192.168.1.0/24 out-interface-list=WAN log=no log-prefix=""
ipsec-policy=out,none
1 ;;; defconf: hairpin nat
chain=srcnat action=src-nat to-addresses=<my wan ip>
src-address=192.168.1.0/24 dst-address=192.168.1.0/24
out-interface-list=LAN log=no log-prefix=""
2 ;;; Web server
chain=dstnat action=dst-nat to-addresses=192.168.1.2 protocol=tcp
dst-address-list=WanIP dst-port=80 log=no log-prefix=""
3 D ;;; upnp 192.168.1.3: TCP
chain=dstnat action=dst-nat to-addresses=192.168.1.3 to-ports=53052
protocol=tcp dst-address=<my wan ip> in-interface=ether1 dst-port=53052
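
Added example, not part of the original post: a small Python model of the dstnat rules printed above, showing why the dynamic UPnP rule (#3) is skipped for LAN-originated traffic while the static web server rule (#2) still matches. The WAN address 203.0.113.10, the client addresses and the interface name `bridge` are constructed placeholders, and only the matchers visible in the print output are modelled.

```python
# Constructed placeholder for the redacted <my wan ip> in the post.
WAN_IP = "203.0.113.10"
ADDRESS_LISTS = {"WanIP": {WAN_IP}}

# dstnat rules #2 (static) and #3 (dynamic, UPnP) as printed in the post.
DSTNAT = [
    {"id": 2, "protocol": "tcp", "dst-address-list": "WanIP", "dst-port": 80,
     "to-addresses": "192.168.1.2"},
    {"id": 3, "protocol": "tcp", "dst-address": WAN_IP, "in-interface": "ether1",
     "dst-port": 53052, "to-addresses": "192.168.1.3", "to-ports": 53052},
]

def rule_matches(rule, pkt):
    """Every matcher present on the rule must agree with the packet."""
    if rule["protocol"] != pkt["protocol"] or rule["dst-port"] != pkt["dst-port"]:
        return False
    if "dst-address" in rule and rule["dst-address"] != pkt["dst"]:
        return False
    if "dst-address-list" in rule and pkt["dst"] not in ADDRESS_LISTS[rule["dst-address-list"]]:
        return False
    # This is the matcher that excludes hairpin traffic on rule #3.
    if "in-interface" in rule and rule["in-interface"] != pkt["in-interface"]:
        return False
    return True

def dstnat(pkt):
    """Return (rule id, (new dst, new port)) for the first match, else (None, unchanged)."""
    for rule in DSTNAT:
        if rule_matches(rule, pkt):
            return rule["id"], (rule["to-addresses"], rule.get("to-ports", pkt["dst-port"]))
    return None, (pkt["dst"], pkt["dst-port"])

def packet(in_interface, src, dst_port):
    """Build a TCP packet addressed to the router's WAN IP."""
    return {"protocol": "tcp", "in-interface": in_interface, "src": src,
            "dst": WAN_IP, "dst-port": dst_port}

if __name__ == "__main__":
    for label, pkt in [
        ("WAN client -> :80", packet("ether1", "198.51.100.7", 80)),
        ("LAN client -> :80", packet("bridge", "192.168.1.50", 80)),
        ("WAN client -> :53052", packet("ether1", "198.51.100.7", 53052)),
        ("LAN client -> :53052", packet("bridge", "192.168.1.50", 53052)),
    ]:
        print(label, "=>", dstnat(pkt))
```

The last case falls through with no translation: the packet is still addressed to the WAN IP, so it is handled by the router itself instead of being forwarded to 192.168.1.3.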